>Glancing at the ORDB.org nameservers I fail to see how the SPF DNS 
>usage can be so intense as to be a problem or a weak link.

Do they use IP addresses or domain names as keys?

>The relays.ordb.org nameservers are relatively centralized (11 servers 
>right now) and they are processing 1-2 million requests a minute 
>(extrapolated from one logfile) without much trouble.

Impressive.  But a sufficiently well-endowed server can keep an entire
IPv4-based data base in RAM, correct?

How large do you think the entire SPF data base would be, for the
entire Internet, in four to five years, assuming SPF is widely
deployed?

Do you think it could fit into the RAM for any server in production at
that time?

Do you believe the granularity of SPF information required to
accommodate roaming users, users with multiple points of access to the
Internet, and so on, might be a factor in making these assessments?

>Even if SPF ends up much much more widely deployed than ORDB is, surely 
>the design of it is much better aligned with the DNS system design.

SPF and ORDB share the fact that the key being looked up is based on
information pertaining to *incoming* transmissions.

They don't share the ability for the external entity to generate
arbitrary keys for lookup, since it's very difficult for a spammer to
inject email from truly random IP addresses.

Further, ORDB is not sufficiently useful for "everyone" to use.  Some
sites don't care much how an email is routed to their hosts; they care
more about what is in it, and where it originally came from.

Finally, ORDB does not (presumably) ever have to refer lookups to
arbitrary external hosts when it does not have them in local cache,
because ORDB *itself* is "authoritative" for the information it
serves on any given host on the Internet.

On the other hand, SPF lookups that fail in local caches might require
referral to systems that are either overloaded or unreachable, and
spammers might be able to predict or plan this such that it can be
exploited to their benefit.

In that sense, ORDB is not a distributed data base to nearly the
extent SPF DNS information constitutes one; it is merely a locally
cached centralized data base, and thus gives little guidance as to
what to expect from DNS once SPF is widely deployed and employed.

-- 
James Craig Burley
Software Craftsperson
<http://www.jcb-sc.com>
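To make the key-derivation contrast in the message concrete, here is an added example (not from the thread, and not code from ORDB or any SPF implementation): a DNSBL key is built from the connecting IP, which the remote side cannot choose, while an SPF lookup is keyed on the envelope-sender domain, and each `include:` fans out to whatever nameserver that record names, which is why evaluators cap the number of DNS-querying mechanisms. The zone data, domain names and the dictionary standing in for a resolver are all constructed for this example.

```python
import ipaddress

# Constructed in-memory stand-in for live DNS; every name below is hypothetical.
FAKE_DNS = {
    ("4.3.2.1.relays.ordb.org", "A"): ["127.0.0.2"],
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
    ("_spf.mailhost.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 include:_spf.outsourced.example ~all"],
    # _spf.outsourced.example is deliberately absent: its nameserver is "unreachable".
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],  # misconfigured self-reference
}
QUAL = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

class DnsBudgetExceeded(Exception):
    """Raised when evaluating one SPF record would exceed its DNS-query budget."""

def dnsbl_key(ip, zone="relays.ordb.org"):
    """DNSBL-style key: the connecting IP, reversed, under the list's zone.
    The remote side cannot pick this key; it must own the address it connects from."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split("."))) + "." + zone

def dnsbl_listed(ip, resolver):
    return bool(resolver.get((dnsbl_key(ip), "A")))

def spf_check(domain, ip, resolver, budget=10):
    """Simplified SPF (ip4, include, all) for the envelope-sender domain, which the
    sender picks. Every include: is one more TXT query to a domain that record names;
    the 10-query cap of RFC 7208 section 4.6.4 bounds that fan-out.
    Simplification: an include target with no SPF record is treated as no match."""
    queries = []
    def evaluate(dom):
        queries.append(dom)
        if len(queries) > budget:
            raise DnsBudgetExceeded(queries)
        spf = [r for r in resolver.get((dom, "TXT"), []) if r.startswith("v=spf1")]
        if not spf:
            return "none"
        for term in spf[0].split()[1:]:
            qual = "+"
            if term[0] in QUAL:
                qual, term = term[0], term[1:]
            if term.startswith("ip4:") and ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(term[4:], strict=False):
                return QUAL[qual]
            elif term.startswith("include:") and evaluate(term[8:]) == "pass":
                return QUAL[qual]
            elif term == "all":
                return QUAL[qual]
        return "neutral"  # no mechanism matched
    return evaluate(domain), queries
```

`spf_check("example.com", "203.0.113.9", FAKE_DNS)` returns `fail` only after three TXT queries to three different domains, one of which answers nothing, whereas `dnsbl_listed("1.2.3.4", FAKE_DNS)` is a single query under one zone.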
